Security muddle better than FUDdle

Meanwhile, in the real world...


Whether it's a student slipping contraband past airport metal detectors, or a researcher modeling an unstoppable computer virus - demonstrations just don't do justice to the real state of security, writes SecurityFocus columnist George Smith.

Look at a photo of Nathaniel Heatwole, the student who performed pro bono security testing on Southwest Airlines. Neat and freshly-scrubbed, he's a good fellow at Guilford College, the winner of a cash award for ham radio broadcasters -- a white-hat hacker trying to make air travel safer.

Not only did Heatwole push box-cutters and other items symbolically meant to appear menacing through airport security, he also showed that the sharing of information isn't so hot. Heatwole warned the Transportation Security Administration about his work in e-mail. The TSA, however, receives 5,700 e-mails a day. In the electronic blizzard, the notification was missed for weeks.

This play has repeated itself in every aspect of physical and electronic security for as long as I've written about the subject. Anyone who has followed the public history of computer intrusion will find the Heatwole case reminiscent of things they have either had to deal with personally or learned of through schooling and the media.

Sending Heatwole to trial is a waste of time. No one was threatened or put in danger, and even the agency that received the black eye, the TSA, didn't have its leaders or employees personally singled out for embarrassment. There was no inconvenience or economic loss. Heatwole has even been reticent with the media, so even if an aim was to be showy, he's been low-key about it.

However, do such things improve security?

After years of thinking about the subject and witnessing similar cases weekly, my gut feeling is they don't. Despite good intent, and even with attention paid, Heatwole will not make security better on the airlines. There are too many carry-on bags to screen with the degree of discernment required to catch everything, and the airlines won't have any customers if they're required to strip search them or nail the bathrooms shut on all flights.

In parallel, it's my hunch that the nation is saturated with news and alarms about security. From gaffes at the national labs, to the Government Accounting Office's stream of reports on poor computer security in various agencies, to Bret McDanel who warned co-workers at his former employer that their e-mail was compromised and had to spend sixteen months in prison before justice finally realized he had done no wrong, the word is always present. Security is too porous, people are screwing up, procedures are rotten, problems are going to be exploited and the house of cards is destined to collapse.

Maybe it's all true.

However, in the rush to publicize that which must be fixed right away, the story poorly told is that the infrastructure is managed and kept stable by a just-in-time, come-as-you-are workforce. And as a practice -- even though this looks wobbly -- globally and over time, it works.

In the past, I've called this laissez faire computer security, but that's not entirely accurate. It doesn't give nearly enough credit to the people who daily keep their bailiwicks running, clean up after the mistakes of others and work collegially across borders to put out whatever electronic fire must be put out.

Such tenacity and resilience cannot be measured in government reports, although the cost of their overtime labor is always said to be crippling during computer virus outbreaks or surges in the emergency application of serial Microsoft patches. One could just as well discount such alleged expense with the argument that the people are always engaged in productive work, and that we'd see the real cost of network insecurities only if the entire fix-it crew were to permanently disappear all at once.

And the Nathaniel Heatwoles of security, while doing their spot test things, cannot give us an idea about the survivability of a system that during crisis is critically dependent upon people. There's an obvious difference between the galvanizing effect of hiding box-cutters in the bathroom and actually coming out of the water closet brandishing them. Similarly, describing how a virus can evade anti-virus updates and circle the globe in a flash doesn't really describe its fight vs. people-with-networks and the probable outcome as it transpires.

The challenge to security men and women is to separate being part of a process that is ostensibly about security, but without hope of bettering it, from the thankless work of combining ingenuity with the networked world's equivalents of spit and bailing wire. Should you be a showman if you think no one is paying attention? How effective is sowing suspicion and fear of things to come as a security tool? Or is getting pretty good at just gettin' by fine?

Whatever the answer over the next few years, it'll have to do.

Copyright © SecurityFocus

George Smith is a Senior Fellow at GlobalSecurity.org, a defense affairs think tank and public information group. He also edits the Crypt Newsletter and has written extensively on viruses, the genesis of techno-legends and the impact of both on society.
